LastPass hacked, hashed/salted master passwords and password hints exposed
What ever happened to writing your passwords down on a piece of paper.
[QUOTE=redBadger;47989129]What ever happened to writing your passwords down on a piece of paper.[/QUOTE] The fact that that's [del]probably[/del] more insecure.
[QUOTE=redBadger;47989129]What ever happened to writing your passwords down on a piece of paper.[/QUOTE] Also less convenient. Like hold on lemme get my notepad, look for that site's password and type out the 20 character gibberish.
If we're honest, the advice "never write down your password" is basically for office and corporate use, and the general public took a common-sense business environment security practice home where it doesn't always make as much sense. Not writing passwords down in a large office building makes sense, because all you need is Marcia from Accounting to write down the one password she uses for everything and now everyone knows how much everyone else makes and Marcia seems to wander between floors giving people unauthorized and undocumented pay raises at random, even when she's in the hospital giving birth. A rival writes his password down and some embarrassing emails get ghostwritten over lunch one day. And so on. On the other hand, passwords for internet things in a family environment, especially if it's a couple living alone together, either before/never-will children or after they've left, that's different. Doubly so on shared family accounts, such as the WiFi password or the Netflix password. There are certainly accounts with passwords that should remain secret to only the one user or a finite number of people (e.g. parents and not the kids), such as email and bank accounts, but Microsoft won't melt your Xbox One because you wrote the password on a list of shared family accounts.
[QUOTE=SGTNAPALM;47972965]So the way this works is, the reason I'm using it, is I now understand how it works and why it's absolutely trustable, is that very much like Jungle Disk, which we've talked about in the past, all the encryption is done locally. That is, at no point does LastPass receive anything other than what looks like a block of pseudorandom noise. We've talked about how, when you take so-called plaintext, the normal readable, human readable, your username as an email address and your actual password, and you encrypt it with a good cipher, it turns it into, under the influence of a key, which is the key to the whole process, under the influence of the key, it turns it into noise, absolute pseudorandom bits that mean nothing. So that's what the LastPass system gets and saves. It is absolutely no use to anyone because they never get the key. And they've gone to great lengths to arrange never to get the key. When you log into their system, you do so with your username, which is your email address, and your password. That's put together, it's concatenated into one long string. They sanitize the username a little bit. They lowercase it, and they remove the so-called white space, you know, spaces and things. That just makes it a little more robust. The password they don't change at all. So that remains case-sensitive, and special characters and things can be in there. They leave that alone. But, for example, email addresses are not case sensitive. You can change the case in an email address. And so since they're using their email address, people's email addresses as their password, users might not be careful about the case in their email addresses, so they make that case-insensitive. They always lowercase the email address ASCII characters, the alphabetic characters. So they put all this together into one blob. Then they do something called a "hash." They use SHA-256, which is a - SHA stands for Secure Hashing Algorithm. 
The listeners that have been listening to the podcast for years know what that means. For people new to this, a hash is what's called a one-way function. You can take any amount of text or anything, binary data, anything, any amount of data, and run it through this process called "hashing," which always results in a fixed-size thing, sort of a fixed-size token. And what's unique about this is it is "computationally infeasible," is the technical jargon that cryptographers use, to go the other direction. That is, it's very easy to put stuff into this - think of it like sort of as a meat grinder. But it's impossible to ungrind the meat. It's been ground up. It's been completely - it's been turned into this 256-bit result such that anything you change in the input changes everything about the bits in the output. Yet anybody, no matter how much they want to, no matter how much they look at it, they can't go the other direction. So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA - it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It's just like it's been digested into this thing. In fact, hashes are called "digests," also, for that reason. What that is, is that is your cryptographic key. That's the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They're holding the encrypted results of your own personal database, just because that's what they do. That's the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone's ever heard of. So but what they're holding, they have no ability to decrypt. They never get the key. 
That never leaves your system. Now, they do need to know that it's you. That is, they need to know that it is you who are logging in. And so there needs to be an authentication process, so you identify yourself to them. But we don't want them to get the key. So what they do is, they take that key, the cryptographic key, and they add your password to it, that is, they concatenate your password to your cryptographic key, and they hash that. So they do another one-way function on your crypto key with your password, which they don't know because they never get it. But they get another blob. So this second blob, this second output from the hash, that's your unique ID. That is, the only way to get that is if you take your username and password, hash it, then add the password to that and hash it again. So it absolutely depends upon both of those pieces of information. So then your username and that goes to LastPass to identify you. And because that contains your password twice hashed into it, nobody who doesn't have your password, even if they have your email address, is able to produce that blob. So you have to have your email address and your password run through this hash twice to get that blob. But notice that your cryptographic key, which is sort of the first byproduct of that because that's the output from the first hash, that goes into the second hash but is lost in the hashing process, thanks to it being mixed with your password. So the LastPass people never get your crypto key. They get a different unique token that identifies you to them so that you're able to log on securely to their facility. And these guys are so paranoid that they don't even save that on their servers. They don't even save that special logon blob, the output from that second hashing process. Instead they, at the time you create your account, they come up with, they use a random number generator at their headquarters to create a unique 256-bit token which they save with your account. 
And whenever you're logging in, they take this 256 blob you're sending them that's the result of these two hashing processes. They add that to this unique 256k random number, and they hash that. And that's what they compare to what's stored with your account. Which is to say they never store that logon token. They store the result of hashing that logon token with a unique 256-bit value that they created for you. So they dynamically see if it's the same, but they never save your logon token. They just - they don't want it. They don't need it. So they're able to perform a dynamic check whenever you need to authenticate, but they don't keep it statically. So, I mean, this thing is secure every way you can imagine. And it's simple. The reason it appeals to me is that there's no hocus-pocus, there's no mumbo-jumbo, I mean, I can explain it to you and understand it, which means I believe it. Because there's no, oh, then a miracle happens, and just trust us. That's not necessary. The result of this 256-bit hash where they take your username and password and hash that to get the key for the encryption, that is used with the industrial-strength, maximum-strength, AES 256-bit cipher that we've talked about, which takes 128-bit blocks at a time and turns it into 128 bits of gibberish under the influence of the key.[/QUOTE] Funny that I randomly stumbled upon the video that this was taken from. Here's the video in case anyone wants to listen instead of reading: [video=youtube;r9Q_anb7pwg]https://www.youtube.com/watch?v=r9Q_anb7pwg[/video] Quote begins at 1:13:19 exactly.
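The derivation described in the transcript quoted above, written out as an added example (not part of the thread and not LastPass's own code). The function names, UTF-8 encoding, raw-byte concatenation and the token-then-random ordering are assumptions; the transcript only says the values are put together and hashed with SHA-256.

```python
import hashlib
import hmac
import secrets


def normalize_username(email: str) -> str:
    # Transcript: lowercase the email address and remove white space.
    return "".join(email.split()).lower()


def derive_key(email: str, password: str) -> bytes:
    # First hash: username + password -> 256-bit encryption key.
    # This value stays on the client and is never sent anywhere.
    material = normalize_username(email) + password  # password left untouched
    return hashlib.sha256(material.encode("utf-8")).digest()


def login_token(key: bytes, password: str) -> bytes:
    # Second hash: key + password -> the "unique ID" sent to the server.
    return hashlib.sha256(key + password.encode("utf-8")).digest()


def server_enroll(token: bytes) -> tuple[bytes, bytes]:
    # Server side: generate a per-account random 256-bit value and store
    # only SHA-256(token + random), never the token itself.
    account_random = secrets.token_bytes(32)
    return account_random, hashlib.sha256(token + account_random).digest()


def server_verify(token: bytes, account_random: bytes, stored: bytes) -> bool:
    # Recompute at login and compare in constant time.
    candidate = hashlib.sha256(token + account_random).digest()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample credentials.
    key = derive_key(" Alice@Example.COM ", "correct horse")
    token = login_token(key, "correct horse")
    rnd, stored = server_enroll(token)
    print("login ok:", server_verify(token, rnd, stored))
    wrong = login_token(derive_key("alice@example.com", "Correct horse"), "Correct horse")
    print("wrong password ok:", server_verify(wrong, rnd, stored))
```

Every value here is derived from the master password with single SHA-256 passes, so the stored verifier is only as hard to guess as the password itself.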